Message-ID: <4F4D52C2.7050304@weilnetz.de>
Date: Tue, 28 Feb 2012 23:18:42 +0100
From: Stefan Weil
In-Reply-To: <0715077165dcc37924cd9113ea7ba23ddb043a22.1329493546.git.jan.kiszka@siemens.com>
Subject: Re: [Qemu-devel] [PATCH 2/3] slirp: Fix requeuing of batchq packets in if_start
To: Jan Kiszka
Cc: Zhi Yong Wu, qemu-devel@nongnu.org, Fabien Chouteau

On 17.02.2012 16:45, Jan Kiszka wrote:
> In case we requeued a packet that was the head of a longer session
> queue, we failed to restore this ordering. Also, we did not properly
> deal with changes to Slirp::next_m.
>
> Instead of a cumbersome roll back, this fix simply avoids any changes
> until we know if the packet was actually sent. Both fixes crashes due
> to inconsistent queues and simplifies the logic.
>
> Thanks to Zhi Yong Wu who found the reason for these crashes.
>
> CC: Zhi Yong Wu
> CC: Fabien Chouteau
> Signed-off-by: Jan Kiszka
> ---
>  slirp/if.c |   35 +++++++++++++++++++----------------
>  1 files changed, 19 insertions(+), 16 deletions(-)

Latest QEMU crashed here 4 times with MIPS Malta when I tried
'apt-get update' in the guest. See gdb output below for details.

I only got the crash with big-endian MIPS, not with little-endian,
which is strange. After I reverted the above patch, MIPS Malta worked
again as before.

So maybe we changed one crash against a new one.

Regards,
Stefan Weil


Program received signal SIGSEGV, Segmentation fault.
0x000055555577b2a4 in ifs_insque (ifm=0x555556eb0e10, ifmhead=0x0)
    at /home/stefan/src/qemu/repo.or.cz/qemu/ar7/slirp/if.c:14
14          ifm->ifs_next = ifmhead->ifs_next;
(gdb) p ifmhead
$1 = (struct mbuf *) 0x0
(gdb) l
9       #include "qemu-timer.h"
10
11      static void
12      ifs_insque(struct mbuf *ifm, struct mbuf *ifmhead)
13      {
14          ifm->ifs_next = ifmhead->ifs_next;
15          ifmhead->ifs_next = ifm;
16          ifm->ifs_prev = ifmhead;
17          ifm->ifs_next->ifs_prev = ifm;
18      }
(gdb) i s
#0  0x000055555577b2a4 in ifs_insque (ifm=0x555556eb0e10, ifmhead=0x0)
    at /home/stefan/src/qemu/repo.or.cz/qemu/ar7/slirp/if.c:14
#1  0x000055555577b487 in if_output (so=0x555556ea0bd0, ifm=0x555556eb0e10)
    at /home/stefan/src/qemu/repo.or.cz/qemu/ar7/slirp/if.c:81
#2  0x000055555577cf2c in ip_output (so=0x555556ea0bd0, m0=0x555556eb0e10)
    at /home/stefan/src/qemu/repo.or.cz/qemu/ar7/slirp/ip_output.c:84
#3  0x00005555557863f2 in tcp_output (tp=0x555556ea0c80)
    at /home/stefan/src/qemu/repo.or.cz/qemu/ar7/slirp/tcp_output.c:456
#4  0x000055555577fd66 in slirp_select_poll (readfds=0x7fffffffda10, writefds=0x7fffffffda90, xfds=0x7fffffffdb10, select_error=0)
    at /home/stefan/src/qemu/repo.or.cz/qemu/ar7/slirp/slirp.c:477
#5  0x000055555572d8c0 in main_loop_wait (nonblocking=1)
    at /home/stefan/src/qemu/repo.or.cz/qemu/ar7/main-loop.c:469
#6  0x0000555555721a61 in main_loop ()
    at /home/stefan/src/qemu/repo.or.cz/qemu/ar7/vl.c:1558
#7  0x00005555557284a2 in main (argc=25, argv=0x7fffffffdfe8, envp=0x7fffffffe0b8)
    at /home/stefan/src/qemu/repo.or.cz/qemu/ar7/vl.c:3667
(gdb) up
#1  0x000055555577b487 in if_output (so=0x555556ea0bd0, ifm=0x555556eb0e10)
    at /home/stefan/src/qemu/repo.or.cz/qemu/ar7/slirp/if.c:81
81          ifs_insque(ifm, ifq->ifs_prev);
(gdb) p *ifq
$2 = {m_hdr = {mh_next = 0x5555564bfc48, mh_prev = 0x0, mh_nextpkt = 0x0,
    mh_prevpkt = 0x0, mh_flags = 0, mh_size = 1562, mh_so = 0x555556ea0bd0,
    mh_data = 0x555556eb0ea0 "E", mh_len = 1500}, slirp = 0x5555564bfb80,
    arp_requested = false, expiration_date = 18446744073709551615,
    M_dat = {m_dat_ = "", m_ext_ = 0x0}}
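The ring insertion the backtrace lands in, modelled as an added example (not QEMU's, slirp's or the poster's code): the per-session ifs ring from the gdb listing, a checked insert that reports a NULL or inconsistent head instead of dereferencing it, and a ring walk that verifies the prev/next invariant. The struct and the demo inputs are constructed stand-ins.

```c
/* Added example, not QEMU/slirp code: a model of the per-session "ifs" ring
 * with a checked insert that refuses a NULL head instead of dereferencing it.
 * Names follow the gdb listing; struct mbuf is a constructed stand-in. */
#include <stddef.h>
struct mbuf {
    struct mbuf *ifs_next;
    struct mbuf *ifs_prev;
};

/* Checked ifs_insque: insert ifm right after ifmhead. Returns 0, or -1 when the
 * head is NULL or its next node does not link back, instead of a SIGSEGV. */
static int ifs_insque_checked(struct mbuf *ifm, struct mbuf *ifmhead)
{
    if (ifmhead == NULL || ifmhead->ifs_next == NULL || ifmhead->ifs_prev == NULL)
        return -1;
    if (ifmhead->ifs_next->ifs_prev != ifmhead)
        return -1;
    ifm->ifs_next = ifmhead->ifs_next;
    ifmhead->ifs_next = ifm;
    ifm->ifs_prev = ifmhead;
    ifm->ifs_next->ifs_prev = ifm;
    return 0;
}

/* Walk the ring from a non-NULL head; return its length, or -1 on a broken link. */
static int ifs_ring_len(const struct mbuf *head)
{
    int n = 0;
    const struct mbuf *m = head;
    do {
        if (m->ifs_next == NULL || m->ifs_next->ifs_prev != m)
            return -1;
        m = m->ifs_next;
        n++;
    } while (m != head);
    return n;
}
/* Constructed demo: a head ring of one, two inserts, then the NULL head seen
 * in the backtrace. Returns the ring length (3) if all behaved, else -1. */
static int ifs_demo(void)
{
    struct mbuf h, a, b;
    h.ifs_next = h.ifs_prev = &h;           /* a fresh head is a ring of one */
    if (ifs_insque_checked(&a, &h) != 0 || ifs_insque_checked(&b, &h) != 0 ||
        ifs_insque_checked(&a, NULL) != -1) /* NULL head refused, not crash */
        return -1;
    if (h.ifs_next != &b || b.ifs_next != &a || a.ifs_next != &h)
        return -1;
    return ifs_ring_len(&h);
}
```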